
Configure Firewalld to Use the Nftables Backend

Description

Firewalld can be configured with many backends, such as nftables.

Rationale

Nftables is a modern kernel module for controlling network connections coming into a system. Using the limit statement in nftables can help to mitigate DoS attacks.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core && { rpm --quiet -q firewalld; }; then

if [ -e "/etc/firewalld/firewalld.conf" ] ; then
    # Remove every existing FirewallBackend assignment so that exactly one
    # is present after the insertion below.
    LC_ALL=C sed -i "/^\s*FirewallBackend\s*=\s*/d" "/etc/firewalld/firewalld.conf"
else
    touch "/etc/firewalld/firewalld.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/firewalld/firewalld.conf"

cp "/etc/firewalld/firewalld.conf" "/etc/firewalld/firewalld.conf.bak"
# Insert before the line matching the regex '^#\s*FirewallBackend'.
line_number="$(LC_ALL=C grep -n "^#\s*FirewallBackend" "/etc/firewalld/firewalld.conf.bak" | LC_ALL=C sed 's/:.*//g')"
if [ -z "$line_number" ]; then
    # There was no match of '^#\s*FirewallBackend', insert at
    # the end of the file.
    printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf"
else
    head -n "$(( line_number - 1 ))" "/etc/firewalld/firewalld.conf.bak" > "/etc/firewalld/firewalld.conf"
    printf '%s\n' "FirewallBackend=nftables" >> "/etc/firewalld/firewalld.conf"
    tail -n "+$(( line_number ))" "/etc/firewalld/firewalld.conf.bak" >> "/etc/firewalld/firewalld.conf"
fi
# Clean up after ourselves.
rm "/etc/firewalld/firewalld.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-86506-3
  - DISA-STIG-RHEL-08-040150
  - NIST-800-53-SC-5
  - firewalld-backend
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Setting unquoted shell-style assignment of 'FirewallBackend' to 'nftables'
    in '/etc/firewalld/firewalld.conf'
  block:

  - name: Check for duplicate values
    ansible.builtin.lineinfile:
      path: /etc/firewalld/firewalld.conf
      create: true
      regexp: (?i)^\s*FirewallBackend=
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/firewalld/firewalld.conf
    ansible.builtin.lineinfile:
      path: /etc/firewalld/firewalld.conf
      create: true
      regexp: (?i)^\s*FirewallBackend=
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/firewalld/firewalld.conf
    ansible.builtin.lineinfile:
      path: /etc/firewalld/firewalld.conf
      create: true
      regexp: (?i)^\s*FirewallBackend=
      line: FirewallBackend=nftables
      state: present
      insertbefore: ^# FirewallBackend
      validate: /usr/bin/bash -n %s
  when:
  - '"kernel-core" in ansible_facts.packages'
  - '"firewalld" in ansible_facts.packages'
  tags:
  - CCE-86506-3
  - DISA-STIG-RHEL-08-040150
  - NIST-800-53-SC-5
  - firewalld-backend
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
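The remediations above write the setting but do not show how to verify it. The following audit script is an added example, not part of the Datadog rule or of the ComplianceAsCode remediation; it reports the FirewallBackend value that a firewalld.conf carries, tolerating whitespace around "=" exactly as the remediation regex does. It assumes bash with POSIX grep, sed and tail, treats the last uncommented assignment as the effective one (an assumption about firewalld's parser), and the sample files it creates are constructed, not taken from a real host.

```bash
#!/bin/bash
# Added audit helper for the FirewallBackend setting (example code, not the
# rule's own check). Assumes bash and POSIX grep/sed/tail.

# Print the value of the last uncommented "FirewallBackend=" assignment in
# the file given as $1, or "unset" when the file is missing or has none.
# Assumption: firewalld honours the last assignment when several exist.
effective_backend() {
    local file="$1" last
    [ -r "$file" ] || { printf 'unset\n'; return 0; }
    # Same shape as the remediation regex: optional leading whitespace,
    # the key, optional whitespace around "=". Commented lines never match.
    last="$(LC_ALL=C grep -E '^[[:space:]]*FirewallBackend[[:space:]]*=' "$file" | tail -n 1)"
    if [ -z "$last" ]; then
        printf 'unset\n'
        return 0
    fi
    # Strip key, "=", and surrounding whitespace, leaving only the value.
    printf '%s\n' "$last" \
        | sed -E 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 when $1 configures the nftables backend, 1 otherwise, and print
# a one-line finding that names the value actually found.
check_backend() {
    local file="$1" backend
    backend="$(effective_backend "$file")"
    if [ "$backend" = "nftables" ]; then
        printf 'PASS: %s sets FirewallBackend=nftables\n' "$file"
        return 0
    fi
    printf 'FAIL: %s has FirewallBackend %s (expected nftables)\n' "$file" "$backend"
    return 1
}

# Constructed sample files exercising the three cases an auditor meets:
# a legacy backend, a commented-out default, and a compliant setting.
demo_dir="$(mktemp -d)"
printf '# FirewallBackend\nFirewallBackend=iptables\n' > "$demo_dir/legacy.conf"
printf '# FirewallBackend\n# FirewallBackend=nftables\n' > "$demo_dir/unset.conf"
printf '# FirewallBackend\n  FirewallBackend = nftables  \n' > "$demo_dir/ok.conf"
for f in "$demo_dir"/*.conf; do
    check_backend "$f" || :
done
rm -rf "$demo_dir"
```

Run it as `check_backend /etc/firewalld/firewalld.conf` on a host to get a non-zero exit status whenever the rule would fail.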